EvilGrade: works against Java, AppleUpdate, Google Analytics, Skype, Blackberry and more

Introduction

We all know that attackers are constantly trying to steal private information by getting into a victim's system, either by exploiting the software installed on it or by some other means. According to one statistic, more than 60 percent of Adobe Reader users run unpatched versions, leaving them open to attack. By routinely updating their software, users patch known vulnerabilities and greatly reduce their chance of being compromised.

Commonly used software such as MS Office, Adobe Flash and PDF readers (as well as the browsers themselves) are the major targets for exploits if left unpatched. In the past, fake patch pages for Firefox, IE and other browsers displayed messages telling users that an updated version of a plugin or of the browser was available and prompting them to install it. For example, a page would tell the user that updating their Flash version was critical. Once the user clicked the fake update, it downloaded malicious content (for example the Zeus Trojan) to the victim's computer, and perhaps a rogue anti-virus that then asked the user to pay to remove the "infections" it had found. Similar attacks have been run against most browsers.

Normally, if there is an update for the Firefox browser, the notification is displayed as a popup from the browser itself, not as a webpage. A more reliable way to check for an update in Firefox is to go to Help –> About Firefox; if the browser needs an update, it will show a button labelled "Apply Update".

If you are not sure whether an application is up to date, check its official website or the vendor's own update page rather than trusting a prompt that appears inside a webpage.

To check Firefox plugins, go to http://www.mozilla.org/en-US/plugincheck/. That page scans the plugins installed in your Firefox and reports, for each one, whether it is current, needs updating or is known to be vulnerable.

Most people put off updating because it can be annoying. But if we handle sensitive information on our systems, updating and patching the important software should be a high priority.

When you think about it, how many people are really careful about updates: what kind of update it is, or the link from which they are downloading and installing it? Very few, which is why attacks that abuse the update process succeed so often. One effective way of exploiting users is with tools like EvilGrade.

Before moving on to EvilGrade, let's look at a bash script that automates a man-in-the-middle attack and exploits the user by serving a fake update. It sets up a DHCP server and a web server, generates an exploit payload with Metasploit (msf), and waits for a victim to connect to the fake update server and run it. Once the fake update has been executed, the victim's PC is compromised and the attacker can browse the victim's system. The script also offers sniffing via the dsniff suite to spy on the victim.

Extract the script with tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz and copy its 'www' folder to /var/www (cp www/* /var/www/). Then edit metasploit-fakeUpdate.sh to set your "internet" interface (use ifconfig to find its name) and run bash metasploit-fakeUpdate.sh. Once these steps are done, wait for the target to connect.

The commands are as follows:

tar zxf metasploit-fakeUpdate\[v0.1.4\].tar.gz

cd metasploit-fakeUpdate\[v0.1.4\]

cp www/* /var/www

ifconfig

kate metasploit-fakeUpdate.sh

bash metasploit-fakeUpdate.sh

About EvilGrade:

EvilGrade is a framework that exploits weaknesses in the auto-update mechanisms of many common software packages, and the attack it performs is one of the best examples of client-side exploitation. The framework tricks the application into believing a legitimate update is available, prompting the user to install an "upgrade" that is in fact the attacker's payload. This type of attack is hard for a normal user to detect: nothing looks suspicious, and the upgrade prompt comes from the application itself.

We use the framework in combination with DNS spoofing or a man-in-the-middle attack so that the application's update request reaches our server instead of the vendor's. The victim then downloads our "upgrade" and executes our arbitrary code.

EvilGrade works against so many applications because most of them verify neither the update contents nor the identity of the update server. The attacker therefore only has to modify the victim's DNS traffic so that the update hostname resolves to an IP address the attacker controls.

General update process scenario:

An application starts its update process by asking DNS to resolve its update host (say, update.app1.com). The DNS server replies with an address. The application then fetches the file lastupdate.xml from update.app1.com and parses it; if the file describes a newer version, the application downloads and installs it. At no point does a typical client check who answered the DNS query, who served the file, or whether the download is what the vendor published.
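The update flow just described, modelled in Go with and without the checks most updaters skip, as an added example that is not part of the original article or of EvilGrade. DNS and the HTTP servers are replaced by in-memory maps so it runs offline. Assumptions: the lastupdate.xml layout, the vendor address 203.0.113.10 and Ed25519 as the signing scheme are constructed for the example; update.app1.com and the attacker address 192.168.75.130 are taken from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is the lastupdate.xml the client parses. Element names are
// constructed for this example, not any vendor's real format.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	SHA256  string   `xml:"sha256"` // hex digest of the binary this manifest announces
}

// resolver stands in for DNS (host -> address); a poisoned one is what the
// victim sees under ettercap's dns_spoof. server is whatever answers at an
// address; network maps addresses to servers. All three replace real I/O.
type resolver map[string]string
type server struct{ manifest, signature, binary []byte } // signature: detached Ed25519 over manifest
type network map[string]*server

const updateHost = "update.app1.com" // hostname from the article

// fetchUpdate models the updater. With vendorPub == nil it behaves like the
// common, vulnerable client: resolve the host, fetch lastupdate.xml and
// install whatever binary is advertised, trusting the server completely.
// With a pinned publisher key it adds the two checks most updaters lack:
// the manifest must be signed by that key, and the binary must match the
// digest the signed manifest names. A spoofed server satisfies neither.
func fetchUpdate(dns resolver, nw network, installed string, vendorPub ed25519.PublicKey) ([]byte, error) {
	srv := nw[dns[updateHost]]
	if srv == nil {
		return nil, errors.New("update server unreachable")
	}
	if vendorPub != nil && !ed25519.Verify(vendorPub, srv.manifest, srv.signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(srv.manifest, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed { // string compare suffices for the x.y versions used here
		return nil, nil // already current
	}
	if sum := sha256.Sum256(srv.binary); vendorPub != nil && hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("binary digest mismatch: refusing update")
	}
	return srv.binary, nil // the caller writes this to disk and runs it
}

// Scenario is a constructed lab: the vendor's server with a signed manifest,
// an attacker's server with a forged one, and honest versus poisoned DNS.
type Scenario struct {
	Honest, Spoofed resolver
	Net             network
	VendorPub       ed25519.PublicKey
}

// makeServer publishes version/binary with a manifest signed by priv.
func makeServer(priv ed25519.PrivateKey, version string, binary []byte) (*server, error) {
	sum := sha256.Sum256(binary)
	m, err := xml.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, err
	}
	return &server{manifest: m, signature: ed25519.Sign(priv, m), binary: binary}, nil
}

func buildScenario() (*Scenario, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(nil) // attacker signs with a key of their own
	if err != nil {
		return nil, err
	}
	vendor, err := makeServer(vendorPriv, "2.0", []byte("genuine app v2.0 binary")) // constructed stand-in
	if err != nil {
		return nil, err
	}
	attacker, err := makeServer(attackerPriv, "9.9", []byte("attacker agent: reverse shell to 192.168.75.130:1234"))
	if err != nil {
		return nil, err
	}
	return &Scenario{
		Honest:    resolver{updateHost: "203.0.113.10"},   // vendor address assumed for the example
		Spoofed:   resolver{updateHost: "192.168.75.130"}, // what the etter.dns entry does to the victim
		Net:       network{"203.0.113.10": vendor, "192.168.75.130": attacker},
		VendorPub: vendorPub,
	}, nil
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	for name, dns := range map[string]resolver{"honest DNS": s.Honest, "spoofed DNS": s.Spoofed} {
		unverified, _ := fetchUpdate(dns, s.Net, "1.8", nil)
		verified, err := fetchUpdate(dns, s.Net, "1.8", s.VendorPub)
		fmt.Printf("%-12s unverified client installs %q; verified client installs %q (err=%v)\n", name, unverified, verified, err)
	}
}
```

Running it shows the unverified client installing the attacker's agent as soon as the update host resolves to the attacker, which is exactly the step EvilGrade automates, while the verified client refuses both the forged manifest (signed by a key it does not trust) and any binary that does not match the signed digest. The key being pinned in the client is what makes control of DNS, or of the network path, insufficient; HTTPS alone would help only if the client actually validates the certificate and the hostname.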

In this example, let's target Notepad++ by creating a malicious upgrade. To select a module in the EvilGrade console, the command is

evilgrade>configure notepadplus

To view the options for the selected module, use the command “show options”.

Note: the "VirtualHost" value among the options is important. It is the hostname the application contacts for updates, and it is the name we will spoof later to bring the victim to our server.

The next step is setting up the agent. The agent is simply our fake update binary. We can set the path where a ready-made binary is located, or configure dynamic fake-update generation, where EvilGrade runs a Metasploit (or other) command to build the binary on demand. Either way, the agent can carry any msfpayload payload, for example windows/shell_reverse_tcp: generate it from within the EvilGrade console, or create it outside the framework and point the agent at the file.

Method 1: generate the payload from within EvilGrade by setting the agent to an msfpayload command line.

Here, the fake update binary is built with the payload windows/shell_reverse_tcp, a reverse shell that connects back to 192.168.75.130 (the attacker's IP address) on port 1234. The <%OUT%>...<%OUT%> tags mark the path where the generated binary is written, so that EvilGrade knows which file to serve.

Method 2: create the payload outside the framework and point the agent at the resulting file with the following command.

evilgrade(notepadplus)>set agent /tmp/reverse-shell.exe

Once this is set, start the EvilGrade server with the start command.

Now the server is running. The next step is configuring the man-in-the-middle attack with Ettercap. As noted earlier, EvilGrade relies on DNS spoofing or a man-in-the-middle position to bring the victim to our server. So let's configure etter.dns: add an A record that maps the module's VirtualHost name to the IP address of the machine running EvilGrade.

Then, in Ettercap, select your network interface and enable the dns_spoof plugin: Plugins –> Manage the plugins –> double-click dns_spoof. This plugin answers the victim's DNS queries with the addresses from etter.dns, redirecting the update request to the EvilGrade server.

Now scan for hosts on the network: Hosts –> Scan for hosts.

Once the scan finishes, open the host list to see the hosts found on the network.

We also need an MITM position to intercept the traffic on the network. First set the targets: select the router's address and click "Add to Target 1", then select the victim's IP address and click "Add to Target 2". Then start ARP poisoning: Mitm –> Arp poisoning –> check "Sniff remote connections".

Once sniffing has started, use Netcat to listen on the port defined in the EvilGrade payload, in this case 1234.

Now wait for the victim to open Notepad++. When they do, the application will prompt them to install an update. If the victim accepts, you get their shell, from which you can go further, depending on your imagination.

Conclusion:

EvilGrade is a very powerful tool for penetrating a remote system, and combined with tools like Ettercap it is more dangerous still. The framework is platform independent: it can compromise any system whose update session can be hijacked. There is no complete mitigation for this kind of attack. On the user's side, one protection is simply to refuse any update that arrives while on an untrusted network. On the vendor's side, the real fix is to deliver updates over an authenticated channel and have the client verify a signature on the update with a key it already trusts, so that a spoofed server cannot substitute its own binary.

The best part of this tool is that the attack is not limited to Windows systems; it works against any update mechanism that does not authenticate its server and its updates. The only thing the attacker has to do is hijack the update process on the targeted computer over the network. After that, game over.

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (http://www.defcontn.com).
